GDPR – Not as terrifying as you think!

There appears to be a lot of scaremongering surrounding the new data protection guidelines due to come into force on 25th May 2018. General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the new law which will be replacing the Data Protection Act 1998.

The focus seems to be on the big fines (20 million Euros or 4% of group worldwide turnover) associated with breaches of the new law, but in reality, these fines are just for the big players in the data storage game and highly unlikely to be enforced on smaller organisations such as housing providers.

Many software companies and legal organisations have jumped on the bandwagon offering expensive pieces of software and training courses to make sure that you are GDPR compliant, but actually, there are some simple guidelines provided by the ICO (the Information Commissioner’s Office) and a simple diagram to follow. The ICO is the UK’s independent body set up to uphold information rights.

A good starting point to ensuring GDPR compliance is to start a Data Audit within your organisation. Take a look at all the data that you store and log where you are keeping it, why you are keeping it and for how long. Remember that data is not just digital and that paper records also need to be GDPR compliant, i.e. kept securely and with consent of the data subject. Data should have a legal basis for being held and the reasons for storing the data should be shared with those consenting.

Accompanying the new GDPR will be more awareness by the Government and press of individuals’ rights to their data and knowing that their data is being stored safely. This may lead to a higher number of information requests by the public, which will legally have to be responded to within a time limit. It will be necessary, therefore, to update your policies on dealing with these requests as well as your data retention policy, as having less data in your organisation will make these requests easier and result in fewer data breaches. Look back in your archives and decide whether you actually need to keep that data and whether you legally should be doing so.

In the age of cloud computing, a lot of data is now stored off-site in web-based systems. As part of your data audit, it is important that you go back to the suppliers of these systems and ensure they too are GDPR compliant in how your data is kept, and revisit this periodically.

An important thing to remember is that data breaches are bound to happen! Fines for these are unlikely to be given out for small issues such as an incorrect letter going out to a tenant, but larger breaches could cause reputational damage. It is important that your data (digital and paper) is kept secure, and this might be a good time to review your policies on taking IT equipment and files off-site. If you do have laptops being taken off-site, make sure that the data is encrypted using free tools such as BitLocker, which comes with Windows.

This quick overview of such a large area is intended to help our readers begin to understand what is coming next year. Daniel Maher, our digital specialist, will revisit some of this in future articles.